Hey, everybody. Thanks for coming to what is exactly, definitely not the Penn & Teller Theater, but I appreciate you guys squeezing in.
My name is Alex Stamos. I'm here to talk about the ethics of the white hat industry.
Yeah, so if you're here for something more exciting, then now's the time to go.
So a couple, this is supposed to be subtitled, a couple different things. We kicked around different ideas.
You know, this could be Uncle Alex's story time, kids gather around.
It could be me dousing my career in gasoline and setting it on fire.
So we'll see. There's a lot of outcomes that could happen here.
So one disclaimer, I'm here personally. You don't see any corporate logos up here.
If you're a reporter or you're going to tweet who I am or something, quote me or something,
then just say Alex Stamos or Alex Stamos, dashingly handsome citizen or something like that.
I'm trying to keep the corporate PR people not knowing that I'm even here.
So today, this is a discussion. It's going to be an interactive discussion.
Interactive means not screaming at me as if I'm General Alexander.
We have specific interactive points.
And I'm looking to hear from you guys, and I think, I'm just hoping to kick off a discussion that we can all participate in over the next couple of years.
So I'm going to do a quick recap of why we live in interesting times and the interesting ethical dilemma this poses to us these days.
We're going to talk about some moral frameworks we can use to think about us as an industry and how we each act individually within the industry.
And then I think the most interactive part, the fun part, is I'm going to pose some interesting situations.
And we're all going to talk about them.
And then I'm going to vote on how we would each individually act.
So, you know, this is an open discussion space.
We all come here with very different backgrounds and very different feelings about what's going on in the world right now.
I just hope everybody is responsive, open, and very respectful to each other.
Because I think that's what DEF CON should be, right?
And then at the end, we're going to talk about something you can do.
Okay, you don't have to applaud yet.
I'm like Dan Kaminsky. I'll stop and then see your applause point.
Okay, I'll go, ta-da!
And you can...
Okay, so where am I coming from?
You know, I'm not here to give, to put any kind of moral framework on people.
I'm not here to tell you what to do.
But it's good for you to understand where I come from so you understand my biases.
So I, like many people, my first DEF CON many years ago, pre-Alexis Park.
My dad had to rent the hotel room because I wasn't allowed to.
So, you know, like many people in here, I was self-taught.
As a teenager, I think everybody understands the subtext of what I mean by self-taught.
I've worked after college in defensive roles for big companies.
I started a white hat consulting company that worked out pretty well.
And we have a number of...
One of the best parts of my career is that I've been able to work with some fantastic people
and give some fantastic people an opportunity to get into the industry.
That's one of the things I'm most proud of.
As part of that job, I've worked for big corporations.
And I've seen what it's like to be on the other side of a nation state who wants to do something bad to you.
I have been asked to do stuff for the U.S. government and I've helped in the past.
So, you know, I have been to places like Liberty Crossing and Phenix One.
Those of you who have ironed your shirts and tucked them into your pants will understand where those locations are.
And my work has put at least five people in jail.
So I'm just trying to be honest with you guys about where I'm coming from.
To a certain portion of the DEF CON crowd, I am an InfoSec sellout.
I'm just going to stipulate that right now.
I'm a sellout.
I'm a corporate white hat sellout.
This talk is about the ethics of...
To be a corporate white hat sellout, how you can do so as ethically as possible.
If you're here from an anarchist or InfoSec sucks or anti-sec background, then you're welcome to be here.
But just realize that you're not going to argue me out of this background.
And so I've been doing this for a while now.
And in the last couple of years, I've had to really ask myself why.
It used to be easy to understand why you wanted to get into security.
It was something fun.
It was something you could get paid to do fun things.
Things that you would usually do for free.
And that's how a lot of us slipped into it.
And I think it's a lot harder now.
These days, you really need to sit down and think to yourself, what is my personal goal?
And this talk is really coming out of me doing that for myself.
So, we live in interesting times.
In the good old days, there was really one big ethical decision you had to make.
Do you want to be on the white hat or the black hat side?
And I roughly define this as both of these sides, people like to break things.
Right?
Everybody in this room likes to look at complicated systems, figure out how it works, and then tear it apart.
If you're on the black hat side...
Then you either use that knowledge for personal gain.
You use it to embarrass people or to get your shout outs to your friends.
Or you use it for some kind of political goal.
If you're a white hat, you use that knowledge to try to make that system better and more secure.
And you might disagree with those definitions, but that's what I'm going to use today.
And it used to not be that hard.
You could pick one or the other.
Or both.
As a number of people did.
But the definition was pretty simple.
There's a lot of ways to be a white hat.
Back then and today.
You can work for a big corporate in the internal security team.
You can be an independent researcher by yourself or in a small group of folks who are doing research.
Maybe they're selling bugs.
Maybe they're getting consulting contracts to pay the bills.
Maybe they're living with their parents.
There's a number of different ways you can fund yourself and stay independent.
You could be a consultant in a more structured environment, which is kind of the environment of the company I started.
Or you could be an academic.
I mean, there's a lot of different other ways, but these are kind of the big categories.
But back in the late 90s, early 2000s, when I was getting into this world, the moral dilemmas were a lot simpler.
The big thing we all fought about, and now it seems like we were children fighting about this thing, was responsible versus full disclosure.
The goal of both the responsible and full disclosure side was exactly the same.
I've got a bug.
I want to protect the world as quickly as possible from this bug.
What is the best way to affect that outcome?
And it's still an open discussion, but it's one that seems kind of quaint in 2013.
Right?
Because it presupposes that everybody has the same outline of why they go and they find bugs.
It assumes that everybody just wants to get stuff fixed as fast as possible.
Also, back in the day, you know, choosing what company you worked for wasn't that difficult.
I mean, some people didn't want to work for a bank or something like that.
But now we're in a world where a lot of security companies are dipping toes on both sides of the fence.
They sponsor booths at Black Hat.
They sponsor booths at DEF CON.
They send their employees here.
And at the same time, they're selling tools that can be used to improve security.
To oppress people.
Not just in developing countries, but it turns out in our country and other Western countries.
Back in that day, we had little interaction with governments.
So if you were obviously an incident response, you would interact with Secret Service or FBI.
But you could go your entire career in corporate security from 1995 to 2003 and never have to talk to somebody from the NSA or FBI about just what you're doing to protect your own systems.
That's obviously not true anymore.
And there's a lot of Gray Hat activity.
Like I said, a lot of people chose to be both a White Hat and a Black Hat.
But a lot of it was harmless, right?
Like a lot of the people I know holding onto the vestiges of their past to make them feel like they're still young and cool.
And, you know, writing some malware here or doing something over here.
But a lot of that activity didn't seem really intentionally malicious.
So it didn't compete too much with their White Hat ethics.
So what changed?
Well, a lot of people always ask, when's the future coming?
When am I getting my fucking robot car, right?
And, you know, it turns out the future did happen.
In a lot of cases.
In a lot of different ways.
We live in the cyberpunk future that William Gibson and Sterling and all those guys were thinking about in the 80s.
And that's pretty amazing because the guys who are the sci-fi authors of the 50s and 60s, all of their stuff hasn't happened yet.
But the guys in the 80s were there already, right?
We live in a world where there's corporate to corporate and state to corporate info warfare on a daily basis.
That that is a normal part of our lives is that there are companies that pay hackers who are somewhat paid for by their names.
And then there's the nation state to then break into my company and steal secrets.
Which is like straight up out of two or three William Gibson novels, kind of the base, what the base antagonists do, right?
We live in a world where our country especially likes to kill people with semi-autonomous robots.
Now, I'm not making a moral judgment here.
I'm just saying, wow, James Cameron, way to go, bud.
You really called that one much quicker than I expected to be true.
Obviously, we don't make him look like this.
Because it turns out building like a bipedal titanium robot.
Is the dumbest thing you could do to build like a killer robot, right?
You make them, you know, look like lawn mowers with wings.
And they're way cheaper and they're way more deadly.
And we live in a world where our government is literally trying to sell us on the idea of massive data surveillance being all put together as pre-crime.
As preventing criminal activity via predicting people's actions by looking at their Internet traffic.
And I wish any of these things was an overstatement.
But I don't think anybody here thinks I'm overstating the case here, right?
So, what are some of the fun things that have happened?
So, we have Stuxnet and Flame.
I'm sure most people here have heard of those.
Those are pieces of malware that both were used against the Islamic Republic of Iran.
I'm not going to be doing any, pointing any fingers at any governments that were related.
But I think we all have a feeling of who might have been involved in these.
And I feel this is kind of the final conclusion of the No More Free Bugs movement, right?
Right.
That we now have an open marketplace that didn't exist four or five years ago.
For I find an interesting exploitable bug.
I weaponize it.
And anybody can, whoever the highest bidder is, is finally buying it.
We live in a world where cyber war is real.
Almost any corporation that competes on an international stage is now facing a level of threat that you only played at if you were like a defense contractor in 2003.
Right?
So, back then, Northrop Grumman and, you know, General Dynamics.
And people building planes and bombs.
Nuclear weapons had to really care about their security.
Last year I did a project at a company that makes tractors.
Right?
And you're like, it's a company that makes tractors.
They've got, what, a dozen IT guys.
They've got one security person whose job it is to make sure things are patched.
And you're like, well, who cares about that?
Well, they employ tens of thousands of people.
And they export billions of dollars of heavy industry.
And they have lots of competitors in places like China.
And so, if you just happen to be an exporter in this world.
Then you're going to end up at a level of adversary that was completely unimaginable a couple of years ago.
And what's really scary from that is it's almost impossible for a company that size to spend any amount of money to protect themselves.
Like, the people who are doing the best and holding their own against the Chinese right now is Google.
Google's got like 150 security people.
They've got Windows kernel experts.
They've got OS X kernel experts.
They have people who do their own malware reverse engineering.
They have an intelligence team.
Right?
And they're not winning.
They're holding their own.
Right?
So, like, tractor company is fucked.
Right?
That's basically what that means.
And this is the world we live in now.
Is it competition of what capitalism is all about?
I'd love to talk about that a little bit later.
I'm going to get through this and then I'll tell you when the interactive part is.
But I don't think, yeah.
I'm sorry.
I'm not trying to shut down.
I just want to get through this so we have enough time.
So, we live in a world.
When U.S. software companies are directly attacked to create electronic munitions.
So, those of you paying attention looking at Flame, the Flame virus had an intermediate
certificate authority signed by the Microsoft root certificate authority.
Microsoft doesn't.
Turns out they don't sell those.
You can't call them up and say, hey, can I have something to sign any of your patches?
You have to steal that from them.
And to steal that from them, it turns out what you do is you invent an entirely new
way of doing an MD5 preimage attack using math that has never been seen before in the
open literature.
And then you apply a huge amount of computational power within a couple hundred years.
100 millisecond window.
And you trick the Microsoft terminal service license certificate authority into signing
a CSR that has an identical MD5 sum as one that you just generated.
This is the equivalent of killing your political opponents with $10 million of polonium when
5 cents of cyanide would have done it.
This tells you something about the authors of Flame.
This is the, you know, this is basically the U.S. government being like, oh, yeah.
Yeah, I did it.
Boom.
Drop mic.
What are you going to do about it?
It's like Putin killing that guy with radioactive material, right?
Like, you could just shoot the guy and you would have saved $9,985 or something, right?
And that's to buy the entire pack of 9 millimeter that they, you know, to shoot the guy.
Instead they thought we're just going to scare them and we're going to spread radioactive
material over London.
And this is kind of the cyber war equivalent.
This means that whoever wrote Flame was willing to attack a server at Microsoft live, do an
actual attack against Microsoft.
What does that make you feel like if you work at Microsoft, right?
And you have all of this relationship with the governments of the world where you're
trying to do pre-bug disclosure and you're trying to work with them to make them feel
good about your products.
Oh, and by the way, while you're doing that on the defense side, somebody on the other
side feels like it's open season on your certificate authority, right?
We live in a world where these cyber munitions are basically, you know, somebody else, another
blogger, and I forget exactly who, made a good analogy.
When you shoot a gun at somebody, they can shoot you.
They can't pull the bullet out and throw it back at you.
Right?
But if you throw a rock at somebody's head and you don't kill them, they're going to
throw the rock back.
And that's what the cyber weapons -- I mean, using the word cyber without irony
is like finding your first gray hair from an infosec community.
So I apologize.
But that just seems to be the terminology people are using these days.
But these cyber weapons are like those rocks, right?
For a short period of time, the only people who knew about several super critical bugs
in Windows and in the Siemens PLC controller was probably Microsoft.
Probably the United States, Israel, and anybody in Iran who paid attention to running services
in the background.
Right?
In their nuclear power plant.
Which, thank God, this guy is Finnish, right?
Because if Mikko Hyppönen and the other folks who have been finding these cyber weapons
in the wild had any kind of other -- you know, didn't come from a society where they're
totally neutral and all about social justice, we very well could have seen these weapons
turned against all the companies we work for and to our own personal data and uses.
So it brings up a question.
How do you interact with cyber war?
If you're discovering bugs, you know, who's buying them?
Is it offensive or defensive teams?
I've never heard of anybody selling their exploits in a way that they knew.
All they know is there's a customer, but the customer has many, many different components
that could buy it.
What are they doing with them?
Are they using it for foreign use or are they using it domestically?
And what goals are being accomplished?
And something I really think about when you sell bugs to a government, is it the nation's
goals or the government in charge's goals at that moment?
And if you want to know what the difference is between the nation's goals and the government
goals, I see several people with white ponytails, you can ask them about a man named Richard
Nixon and they'll explain to you what happened.
So we also have a world like not on the defense side in the justice department -- on the
justice side where we have this real problem in our world of the difference between prosecution
and persecution getting really smeared.
For example.
For example, there's a lot of people who are stealing their secrets from their bosses,
which is as old as time itself, salespeople have left jobs and taken their customer lists
with them.
And this is why we have NDAs.
This is why we have non-competes.
This is why we have civil lawsuits between companies that believe people have stolen
their trade secrets.
But instead we are now prosecuting these people as criminals using the economic espionage
act of 1996 because it happens to be on a computer.
Right?
So if you walked out with a sheath of paper, you know, you would have gone sued in a nasty
letter and maybe you would have had to give it back or you could have lost some money.
These days if you have the exact same data on a USB drive, that turns you into an economic
spy and you're sued.
Like these guys.
Sergey Aleynikov who, you know, beat his rap of leaving Goldman Sachs and is now fighting
it again.
Vanity Fair just had a really good profile on him.
And Agrawal, Ben Poo, Sahil Uppal, all people who also left the financial industry taking
some secrets with them.
I don't think they should walk out with the secret codes that allows those hedge funds
to make money.
But I also don't think it's a national security issue.
This is a private business issue between these folks that we now is becoming nationalized
and the sole crushing power of the United States Department of Justice is being turned
against these people.
And then, of course, we all know about the Computer Fraud and Abuse Act.
People like David Nosal who, again, took some customer data out.
Weev who I don't exactly consider him an ethical researcher, but I also don't think
he deserves to be indicted.
He's in jail longer than, say, a rapist.
Lori Drew, who, again, not a nice person.
I don't want to hang out with her, but I also don't think violating the MySpace Terms
of Service is a federal offense.
And Aaron Swartz, the kind of elephant in the room.
So where I come to this is from my personal relationship here.
Like I said, my work output has been used several times in the prosecution of people
who have done bad things.
And these were, like, legitimately bad things.
Not, like, they stole a book or something like that.
And as part of my penance, I've been doing a bunch of pro bono work over the last couple
of years.
So our company provided pro bono work to George Hotz, to GeoHot, during the Sony case, which
was not a criminal case, but had the same kind of effect of Sony doing everything possible
to cost him money.
I once had a meeting where I was with George's lawyer, who's, like, a real estate lawyer.
And he's like, I'm going to try my hand at Internet law.
Right?
Like, okay.
That's great.
Maybe if my life's at stake, that's probably not what I want to try.
But and so it's, like, him and his friend, who doesn't know anything about the case but
came just to have somebody else on that side of the table.
And me, the geek, and sitting across from us was four big law partners who almost certainly
were collectively billing $2,100 an hour or $2,400 an hour to sit there across from us.
Right?
And that was, like, this is because a guy was able to hack the PS3 and put it on his
blog.
Sony's willing to just bury us in paper.
Right?
And, you know, and obviously that happens to the civil, and there's not a lot we can
do about that.
And then I've worked on Aaron Swartz's case as an expert witness for his defense.
And it made me really think about it because part of my job for the defense was to read
the expert report that the prosecution's expert created.
And I'm not going to say who this is or what company he worked for.
I don't think he did anything wrong.
This is a guy who works at a reasonably well-known consulting company who was approached with
we'd like you to do some forensics on these machines and tell us what happened.
And he wrote a reasonable workman's report.
Saying, hey, there's these Python scripts and they download these things and I found
this in the logs and it looks like he changed his MAC address and changed his IP address.
We had a couple of things we're going to hit him with on the stand.
But honestly, he didn't lie.
He didn't make things up.
But his report was then taken by the U.S. attorney's office and twisted and turned and
pulled out of context to turn into Aaron Swartz as this super hacker that was destroying MIT's
network and JSTOR.
And if I was him, I would be really pissed.
Right?
Right?
So I think that my work product had been utilized in a way to persecute and hound a
man to death.
And it made me really think, like, how are we supposed to do that?
What is our role here?
Is our role as technical experts just to tell the truth and then it's other people's job
to make sure justice is done?
Or do we have a more active requirement to participate in justice being served in the
technical world?
And then obviously we have the NSA scandals where all the crazy people, basically everything
they've been saying for years.
It's true.
I apologize to every crazy person that I dismissed at a DEFCON party, you know, with, oh, that's
nice.
Oh, that's really interesting.
I got to go.
I got to talk.
Yeah.
You know, all those people were right.
Which is not great.
And I keep on hearing from people, well, I always knew.
And the answer is no, you didn't.
You always suspected.
A lot of us always suspected this stuff was going on.
But now, yeah, this isn't a secret slide, sir.
This is from the Washington Post.
So you don't have to read it too closely.
I'm not leaking anything more here.
We suspect it and it's different than knowing.
And I think the reason that's important is this thing called the Overton window.
Who here has ever heard of the Overton window?
Okay.
A couple of poli sci majors.
So there was this guy, Joseph Overton, who's a political science professor who came with
the idea that ideas are not always the answer.
And he said that the most important thing about the public accepting an idea is whether
it's considered within the window of acceptable discourse.
Right?
So he talks a lot about the need for movements for change to have radicals.
So for example, you know, in the civil rights struggle, Malcolm X was a radical whose ideas
were not accepted at any time by more than a couple of percentage points of the population.
But he had the effect of being the crazy person outside of the window and therefore expanding
the Overton window of what was acceptable political discourse for civil rights.
In which Martin Luther King and others were able to step right in and be considered
once again within the political center.
I think what's interesting about this, the NSA stuff, is that from a conspiracy perspective,
it changes what our Overton window is.
Right?
So this was like a year ago my Overton window.
I knew that the U.S. government was making malware and using it against adversaries.
I have no moral problem with that.
I'm just going to say it.
I have no moral problem with Stuxnet.
If you're the president of the United States and they come to you and they say, sir, you
can either choose.
You can choose to drop a bunch of bombs and our damage assessment says that we'll probably
kill, you know, ten people and half of them are going to be children.
Or we can use a virus and sneak it in on the iPod.
Like, obviously the moral choice there is the virus on the iPod.
Where it gets difficult is then what do you do after that to make sure that other people
are protected from those bugs?
And then also, you know, how far do you go?
I mean, it's one thing to do like a nuclear facility at the Iranian government.
Now it's like the agricultural department at the Iranian government.
Now it's the agricultural department of France.
And now it's American citizens, right?
So obviously there's a continuum there we have to be careful of.
But, you know, I always knew they were doing that.
I didn't think that was a big deal.
Clearly we all knew there was widespread sniffing of overseas traffic.
You know, the fact that every fiber optic cable in the Middle East just happens to break
every six months.
Like, either the, you know, the Greek and Filipino captains of those ships moving through
there have really been drinking too much ouzo and whatever the Philippine drink of
choice is.
Or maybe that's a great way to cover for submarines tapping fiber optic cables.
That somewhere you drag it, you cut it there.
And while that thing's cut that you're doing the tap over there and they repair it and
we're all good.
And now we're able to get all the traffic moving in and out of Saudi Arabia or Iran,
right?
So, you know, I always knew that kind of stuff was happening.
I thought maybe there's some malware going on against citizens.
You know, maybe every once in a while mobile devices are used and turned against people.
There's a slight possibility of there being crazy crypto breakthroughs.
And then I think also, you know, I don't know.
All of us living through this, that Overton window expands, right?
Because we know for a fact the stuff in this center is happening.
And then we know for a fact things like widespread U.S. sniffing happens.
So it expands our entire window of what we think is a possible something that we'll
even discuss in open.
Like, I am now willing to discuss the possibility that the NSA has, knows how to break Diffie-Hellman
because they have a polynomial time solution for the discrete log problem across the general
integer field.
That's something that a couple years ago I'd be like, ah, that's crazy.
And now, you know what?
I gave a talk about it at Black Hat.
So obviously it's within my Overton window.
You know, still there's some things.
I'm not there yet, right?
But if it turns out we go another ten years and Bono still does not age, then we're going
to have to redo this slide.
So what do you make of all these changes?
Well, it is an exciting time to be in our industry.
But those exciting times means I think we have to make much more intelligent and thoughtful
decisions about how we act.
Okay.
So some ethical frameworks for this.
How do we make sense of the things that happen?
So we are born with only very basic moral and ethical frameworks.
And I'm not going to get into discussion of morality versus ethics.
I was an electrical engineering major.
Any philosophers here are willing to take up the discussion outside without me participating.
I'm kind of using them incorrectly together.
But, you know, we're born with only the most basic understanding of what right and wrong
is.
And obviously even that basic understanding can be overridden by things we learn later,
as every atrocity in the 21st century attests to, right?
Is that you can make humans do anything if they think in the big picture that they're
doing something right?
I was only following orders, being the phrase that you'll hear over and over again.
We make decisions based on frameworks that are given to us by our parents, by our society,
by our family, by our friends.
And if you want to make informed decisions, then it's really important for you to think
about where do these come from, right?
Why do I feel this way?
And do I choose to continue to use this framework or am I just going to leave it behind and
try to find something else?
So some frameworks that are pretty common, patriotism and nationalism.
Again, two words that don't exactly mean the same thing.
But you can find 40,000-word treatises debating on which means which.
So I'm not going to apologize.
I'm an American.
I'm proud to be an American.
I'm the grandson of immigrants who worked very hard to get to this country from really
shitty conditions, like kind of ridiculous, I'm raising sheep on the side of a mountain
and there's no running water kind of conditions, right?
And, you know, my great-grandfather came here and he was and then he went
through Ellis Island.
And they're like, you're now Charles Stamos.
And he's like, I love America, right?
And, you know, and that when you come from an immigrant family, the rest of you who understand
that, understand that that kind of pride lives down because, you know, he busted his
ass and starved on a ship for six months so he could come here and do something great.
And that's why I had like a grandfather who dropped out of school in fifth grade, came
here, the U.S. Army took him because it was World War II and they're taking anybody.
They're like, oh, you don't speak English?
Great.
We'll work on that.
Right?
And, you know, learns English.
Learns English in the Army.
And then the G.I.
Bill pays for him to do electrical engineering classes and he dies as the manager of a huge
engineering team at Pac Bell.
And that's like something that's pretty special for our country.
So I want to be proud of my country.
But what does that mean?
Right?
Which of these is the United States?
Is it the dirt we live on?
Well, obviously the dirt that comprises the United States has changed all the time since
1776.
And the ideas have not.
And, you know, I don't think the United States is going to be massively different if Puerto Rico finally gets statehood in
the next couple of years.
Is it the government that currently is in power?
No.
These people work for us.
Right?
I have no loyalty to them.
Their loyalty is to me as a citizen.
I don't think we have any loyalty to the people who are in power.
I think it's really stupid to put the President's face up on the wall at the post office.
Right?
Like, he should have our faces on his wall.
That's how that works.
Is it the citizenry?
Well, I think I am proud of my fellow Americans.
But our pride is a little funny because if you live in Europe, you're proud -- or
let's say Japan.
You live in Japan, you're proud of being Japanese.
That means you're proud of a continuous people that have existed for thousands of years.
And America, when you're proud of Americans, you're talking about, like, how many people
here became -- anybody here become an American citizen in the last year?
Right.
You guys are just as American, hey, Mira, as I am.
And I'm proud of you guys, too.
Right?
So obviously, you know, saying that you're proud of the citizenry is a difficult one.
And I kind of figured it out.
I'm actually proud of the ideas.
Right?
The idea of limited government, the idea of us not trusting government, the idea that,
you know, if you read the Federalist Papers, you realize the founders weren't actually
crazy anti-government people.
What they realized is that good people, when put into systems that give them power and
perhaps warped incentives, that they started to act against the interests of the people.
And that's why we created a government with three parts fighting each other.
Because they understand that human beings ‑‑ even the people that are in the government,
the best human beings are fallible.
And I don't think the guys who are doing all this crap in the U.S. government right now
are bad people.
So I got dinner with General Alexander a couple nights ago after his ‑‑ the night before
his big talk at Black Hat.
I didn't know I was going to go, but I got invited to this thing, which was a lot of
fun.
Because one of the memories I'll take to my death bed will be Jennifer Granick grilling
him for three hours, like, over a very nice blackened cod.
It was, hmm.
And then ‑‑
And then watching Jennifer take it to him.
It was, you know, something that was really enjoyable, right?
But, you know, so General Alexander, right, he said this a little bit in public, but in
private, you know, a big part of his thing was I really want to defend the Constitution.
But where he's coming from is he's been to Sarajevo, you know, during the Yugoslavian
war and stuff.
And he says, you know, don't overestimate how much cohesion there is in any society,
right?
Any society can fall apart if there's a little bit of strife.
Very quickly.
And then he also says, you know, he admits, our country went crazy after 9‑11.
What do we ‑‑ if that happens again, if an equivalent attack happens again, then
you can just kiss the whole bill of rights goodbye is his theory.
Which may or may not be historically accurate, but it's the kind of thinking that he feels
he's the good guy.
He feels he's doing the right thing and that he has the same goals as all of us.
He just has a framing that allows him to do almost anything up to actually, like, performing
a military coup, right?
Like, if that's your framing, then you're going to do a military coup, right?
And if the next terrorist attack is going to destroy the Constitution of the United States,
then you will do almost anything to get there.
And so that's why I think it's really important, you know, he said over and over again, my
oath is to the Constitution of the United States, and I think this is not an illegitimate
framing to make your moral decisions in the scope of patriotism or nationalism, but it
should be in the scope of the idea that you like, not in the scope of the people or the
government, which are made up of fallible people that make mistakes.
Another way you can think about this is, you know, the nation state is
not the only group you owe responsibility to, right?
We have this whole hierarchy of people who rely upon us for stuff.
So in the core of that for me personally is family.
So I've got three kids.
I chose with my wife to bring them into this world.
They didn't choose that.
I have a responsibility for them until they die.
I mean, that responsibility drops off a little bit when they turn 18 and get to kick them
out, but I still have, like, a long‑term responsibility for these creatures that I
brought into the world.
And who here is a parent?
Let's see.
Yeah.
And I think everybody understands that, right?
It's the kind of thing that you hear about.
When you're 23 and you're like, oh, fuck you, you fucking old person, right?
But then you live through it and you understand, you know, that's, like, your core responsibility
and that's something that you have to, you know, underlie a lot of your decisions.
And so in the short term that means there are certain decisions you can't make, right?
Ed Snowden would not have done what he had done if he had kids.
I guarantee it, right?
Because he would have orphaned them.
And that's why I can't do what Ed Snowden did ever because, you know, I have a responsibility
to my family that overrides any other basically ‑‑ any other thing that I can do.
And that would happen.
I mean, unfortunately, this responsibility to your family is how a lot of totalitarian
societies have turned people into soulless monsters, right?
But it's ‑‑ that's biology.
That's what we have to live with.
And then you have a responsibility to your friends, your colleagues.
Colleagues ‑‑ I have it blended up here, but the colleagues that you just happen to
work with versus the employees you hire turns out to be a really difficult and interesting
moral conundrum, right?
When you hire somebody, you're making implicit and explicit promises to them about, like,
hey, I'm going to pay you every month or twice a month.
And also, I'm not going to ask you to do crazy things.
I'm going to ‑‑ I offered you a job that obviously was in your moral framework.
And I'm not going to massively renegotiate that later.
That's something we have to really think about.
Those of you here who either currently own or who want to be small business owners, when
you're at the point where you're telling people, yeah, this is your job, and then you go through
a rough time and you're like, holy shit, we might not make payroll, and you realize
there might be 20, 30, 40, 50 people who might not make their rent checks, it really changes
your opinion of what you need to do for those folks.
You might feel some obligation.
That's obviously the kind of thing that was different for our grandfathers' time.
I'm not going to say grandmothers, because most of them didn't have corporate jobs.
You go and you work, you spend 50 years, you get the gold watch, has changed a little
bit.
In other societies, not so much in the United States, we have the idea of tribes that people
have responsibility to.
Tribes that have existed much longer than the nation states that the British just happened
to draw around them.
Our society or our civilization, there's a sci‑fi author who likes to say I'm proud
to be part of a civilization, that he's proud to be part of Western civilization, which
is an interesting little argument.
Our nation and then our species.
There's all kinds of ways that this is not a hierarchy that always exists.
Clearly, if your friend kills somebody and you think this is a dangerous person and you
turn them in, your responsibility to your society overrode your responsibility to your
friend.
Although I don't know a lot of people who turn in their kids no matter what happened,
right?
How many parents here would turn their kid in if they did anything bad?
Almost nobody.
You did?
Okay.
Are you Robert Moore?
Yeah.
Moore Sr. has passed away, so I thought he wouldn't be here, but that would be a good
example.
Let's see.
We also, you know, we haven't really talked about this as an industry, but there might
be the idea that we have kind of universal moral obligations.
Medicine has this.
You know, there's traditionally Hippocrates and the Hippocratic oath.
Doctors don't take that anymore.
They take this thing called the Oath of Lasagna, which I know is funny, but literally a guy
named Louis Lasagna wrote this new oath like in the 60s.
And I recommend you read it if you're interested in this area.
And the reason medicine has this is the medicine was the original kind of scientific priests,
right?
These are the people that, they're priest-priests who just kind of made it up, and then there's
a scientific priest who used observation and knowledge to make people better, and that
put them in a super powerful part of society.
And so doctors decided 4,000 years ago that that gave them some kind of responsibility.
We are the technological priesthood of the 21st century, perhaps of the third millennium,
right?
If you, everybody here has fixed their family's computers, every time you do that it reminds
you of the incredible complexity of the world that underlies our data activities that the
vast majority of people do not understand.
And we do.
And so maybe that gives us moral obligations just like doctors have always had.
So some options for that would be the idea that all people deserve for their technology
to be trustworthy, right?
And this means all people.
This would be the equivalent of doctors saying that they're not, you know, in the Geneva
conventions.
If you go into a military hospital and you're an enemy combatant, you are supposed to be
treated just as well as somebody on the friendly side, right?
And that's something that's drilled into military doctors, that they will risk their
lives to save the lives of people who their coworkers just shot, right?
And so that's like how deep it is into the military world.
Obviously we don't have that kind of thing in technology.
But maybe we do need to have that.
The idea that the Internet needs to be a tool of liberation versus oppression.
Now this one's dangerous because there's a lot of people that think, you know, I want
to be liberated from the oppression of pornography, right?
So therefore we should filter the entire Internet and we save all of the children from the porn.
So you can define the word liberation in ways that can be very oppressive itself.
Or just the idea of first do no harm.
That if you're making any specific decision, even if you can't make things better, that
at least you're not going to make things worse.
So if you start to go down the idea of universal ethics, you always end up in this weird slippery
slope argument, which was best argued by a guy named Peter Singer in 1971 in this famous
paper.
Neither our distance from a preventable evil nor the number of other people who in respect
to that evil are in the same situation as we lessens our obligation to mitigate or prevent
that evil.
So basically he's saying the two biggest excuses you have for not doing something right,
which are somebody else's job or that's far away, I don't know that person or it's physically
far away, are bullshit excuses.
And he was making this argument specifically for world hunger.
He was basically saying who here likes it that there are children who are dying who
are hungry?
Nobody, right?
It costs every child to have food.
Therefore, if you don't take every dollar you own above what is required to feed your
own children and send it to those children, then you are morally repugnant.
You have fallen short of what you could possibly do.
Now that's a pretty crazy argument that would, if everybody did this, society would fall
apart as we all send money to each other, right?
And nobody had any kind of, you know, there would be no idea of a consumer.
But it's the kind of thing you've got to think about when you think about other kinds of
ethics that people have gone to.
It's this idea that you can aim for, right?
We're not going to hit it, but it's something to think about.
And then another reason people do things is for personal legacy, right?
Some people say I'm reducing human suffering.
I'm creating general economic benefits.
So you know, a lot of people laughed when the Goldman Sachs guy said we're doing God's
work, right?
Which I thought was funny, too, but I think he honestly believes it, right?
Like one of the great things in the last 30 years has been billions of people rising
out of poverty in Asia, and that's not because of us shipping them bags of rice with an American
flag on it.
That's because they were able to self-organize, mostly into corporations, to then sell goods
and services that the rest of the world wanted to buy.
And so you can make an argument that the guy who started Tata Motors is one of the great
humanitarians in the world.
I mean, I'm sure he treats his people horribly, and there's all kinds of bad things about
Tata, but he also took, you know, millions of people who worked out in the fields and
were on starvation wages and gave them reasonably good jobs.
So I mean, that's an argument some people have.
Making your own family wealthy, building something that lasts, if you study engineering, especially
the civil engineers, they love the idea of building something that will last for hundreds
of years, so even when they're gone, that their work lives on.
And then not being forgotten.
So that's building a bridge and then putting your name on it, right?
So something to always think about, though, if you have the ability to sit down and think
about these things when you pick a job, then that means you are rich and lucky, right?
Because the vast majority of the world just has to do whatever they can do to feed everybody
who they're trying to feed, right, and their family and their friends.
The rest of us, we're all super lucky, so we should never forget the fact that while
we talk about these ethics, it's only because we're rich.
It's only because we have the ability to pick and choose our jobs and our careers that
we can do so.
Okay.
So here we're going to get to the interactive fun part of it, and by fun, probably not
fun.
So the way I'm going to do this is I'm going to pop up some ethical conundrums, and then
there's going to be a multiple choice.
So I'm going to read the conundrum and the multiple choice answers.
Please don't say anything or hoot or holler or whatever.
You can laugh if it's funny.
That's fine.
And let's be respectful to each other, and I'd really like, I'm going to poll the audience
to vote.
You can vote and raise your hand on the one that you would honestly do.
And this is supposed to be a safe space, so let's not judge each other.
I think we really want to see what this group would do in each of these situations.
Because it would be really easy for us to group think this and go like the hardest core
crypto anarchist side, but in reality that's obviously not true because a lot of people
in here, if everybody in here acted that way, then the InfoSec community wouldn't be in
the problem it is right now, right?
So let's be honest about how we do these decisions.
Okay.
Who here played Ultima IV?
Yeah.
Old people.
Whoa.
Yeah.
1985.
First video game that basically had a morality system and the way you generated your character
was it would ask you these questions and then you'd make a decision and then your character
would come out of it.
Which the first time you did it you actually answered them, and then you got your Computer
Gaming World and you figured out the cheat sheet of how to build the best character by
answering it.
But for a while it was a pretty cool moral conundrum thing that you would go through.
So that's kind of what we're doing here.
Okay.
So the first question.
Kind of this is the easiest.
This is the warm-up question.
You find a critical remote exploit in a very widespread product.
What do you do?
A, do you publicly announce the flaw immediately?
This is the full disclosure answer.
B, you wait and build a Black Hat talk around it.
C, you perform responsible disclosure and give what you consider reasonable deadlines to
the manufacturer to fix it.
D, you use it to basically blackmail that vendor into buying consulting from you.
You're laughing.
This happens all the time.
E, you weaponize it and you sell it either directly to your government or to somebody
who you know is going to give it to your government.
F, you weaponize it and you sell it to somebody, and God knows where it's going to go after
that.
But that makes you more money than, say, E. Or G, you use it yourself for fun or profit.
So who here would do A publicly announce who's a full disclosure person?
Wow.
Only two full disclosure people.
B, build a Black Hat talk.
Okay.
Excellent.
C perform responsible disclosure at deadlines.
Wow.
Awesome.
D?
Okay.
Excellent.
I know who you are.
E?
You'd weaponize it and sell it to your government?
Okay.
F weaponize it and just sell it.
Yeah.
Okay.
And G use it yourself.
Oh.
Decent number of people.
Okay.
That's fine.
So it seems that we're still a responsible disclosure crowd.
That's interesting.
That's my answer, too.
I'm a C guy.
Okay.
Next question.
Your job is to perform incident response.
You successfully uncover a legitimate breach, like an actual break-in, not some stupid little
violation.
And then figure out who the attacker is.
You either work for this company full time or a contractor.
It doesn't really matter.
You write a report.
You give that report to the bosses.
The bosses give it to the U.S. attorney.
And all of a sudden you find out later that they're pushing for extreme penalties.
I'm not going to define what that is.
To you, this seems extreme, whatever they're pushing for, for this person.
Do you, A, say, well, you know what?
I'm just going to do my job.
I'm going to assist the prosecution, whatever they ask.
It's not my job.
There is an adversarial process here that's supposed to save this person.
B, you do nothing.
You try to stay out of it as much as possible.
You've done your part.
C, you gently work on the inside to try to get it reduced.
But you don't do anything past that.
D, you outright say, I'm not going to participate.
You cannot put me on the stand.
Do not call me again.
E, you call up the defense and you volunteer to testify.
This may or may not be legal within your jurisdiction.
You can ask Kurt.
F, you publicly take a stand.
You violate your NDA and possibly a court order.
What are those called?
A protection order that protects the data.
Whenever you do expert witness stuff, a federal judge gives you an order that you agree to.
So you end up saying, fuck you, federal judge.
I'm going to take a public stand to save this guy.
So, A, who would ‑‑ yeah, that's going to be a hard one in this crowd.
Good bravery, one person.
B, do nothing.
You did your job.
Okay.
That's a reasonable one.
C, gently work from the inside, but don't go past that.
Okay.
I think that's the largest so far.
D, outright refuse to participate.
E, volunteer to the defense.
And then F, go nuclear on Twitter.
Okay.
So I think ‑‑ I think it was C or D in a lot of ‑‑ in both situations.
That's actually where I am personally.
Somewhere between C and D.
In my ‑‑ what I've ‑‑ just my little bit of legal experience.
Pissing off a federal judge is a world of hurt that you don't want to enter.
And, again, I'm not going to put my kids through that.
Volunteering to testify to the defense, again, is probably illegal in a lot of situations.
So I'd probably do what you guys said, which is good.
You were approached by a member of your government's national security apparatus in a friendly manner.
So they're just like, hey, how you doing?
They say they want to chat about some kind of technical issue.
You don't think you've done anything wrong.
This is an investigation to you.
This is just a friendly chat that they want to have.
Do you, A, say, yeah, sure, let's go grab a beer?
B, say, oh, I'm not going to do that.
I'm really busy this week.
I'll totally call you back and then do the girl thing and slip them the wrong number.
C, say, oh, feel free to send me those questions and I'll answer them by e‑mail or we can set up a time in my office with my attorneys present.
D.
Or E.
Okay, so A, who would do A?
Take the meeting.
Oh, decent number of people.
Probably about a quarter of the room.
B, politely try to get out of it.
More than a few women.
I understand that.
Okay.
C.
D.
And E.
Let's hear your weaving, sir.
Let's hear it.
No.
Yeah.
So here's one I have to admit.
I did A last year.
These people from the NSA said, hey, can we grab a beer?
We'd love to talk to you about the dot secure stuff you're doing and your standards and
NIST and all this.
And I sat and I bought them beers and we sat by the pool at Caesar's for two hours and
talked.
And nothing bad happened.
But this year, no.
This year I would be a C, I think, like a lot of you.
Now, I don't think we should isolate ourselves.
I don't think we need to be we'll never talk to feds, I'll never talk to anybody from the
government, because that kind of isolation takes away our power to influence them.
Again, they work for us.
We don't work for them.
So we should not isolate ourselves.
But I think, especially as like Martha Stewart learned, you know, sitting with somebody who
works for the federal government means that the tiniest little mistake could be considered
a federal felony.
And so I don't think we're at the point where any of us can interact with at least the
United States government in any way without attorneys present.
It's just not safe.
Okay.
We'll do this a little more quickly.
You work for a respected cloud company.
In the course of your duties you find a software hardware collection mechanism, basically a
back door.
You bring it up to your boss.
The boss tells you to drop it without giving you any more information.
Do you drop it, escalate within the company, quietly look for a new job, publicly quit
or pull out the Guy Fawkes mask?
So A, who would just drop it?
Okay.
B, C, who would quietly quit?
D, publicly quit?
And E?
Okay.
Yeah, I mean, this one I'm probably between C and D depending on what I think the enforceability
of the NDA is and whether there's any criminal penalties.
I'm hoping people at Google feel the same way.
You work for a well‑respected company.
Your boss hands you an order to turn over cryptographic keys from the government.
Under the current legal frameworks of that government the order is considered legal and
you have no recourse.
Do you comply and just forget, drink yourself to oblivion?
Refuse to comply and stay silent.
Say I'm not going to do it.
You're going to find someone else to do it but do nothing else.
C, quietly look for a new job, perhaps after B.
D, publicly quit and protest.
Talk publicly and risk prosecution.
Or E, I would be happy to do that, sir, but due to the combination of us using the hardware
security module, separation of duties between me and somebody within a different legal jurisdiction,
and our implementation of certificate transparency, me doing this will have ramifications that I don't think you'll
like. Please decide whether or not you would like me to proceed now that I have informed
you that it will almost certainly demonstrate to the world that you asked me for this.
So obviously I'm telling you E is the right way to do it.
But E requires forethought. That's why I brought this one up. You can't do E at the
last second. If there's a backup key on a USB disk and it's sitting in front of you,
you can't pull this. This is what I'm personally doing with E. I'm building a service that
has to be trusted by people around the world. And so we will be ‑‑ I am backing myself
into a corner that I cannot get out of. And I will leave it up to any law enforcement
that wants to come to me to force me to do anything to decide which poison they want,
either violate certificate transparency by not having it in there or putting a cert in
certificate transparency and the whole world knows that it's coming out.
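The E answer hinges on one mechanism: once issuance is committed to a Certificate Transparency log, a coerced certificate is either rejected by CT-enforcing clients (if it is kept out of the log) or visible to anyone monitoring the domain (if it is logged), and erasing it afterwards breaks the tree head already handed out. As an added example, not code from the talk or from any product the speaker describes, here is a toy RFC 6962-style Merkle log in Python that walks through both outcomes; the certificates and domain are constructed, and the SCT is simplified to an unsigned (index, proof, tree head) triple.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()   # RFC 6962 leaf prefix 0x00

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # node prefix 0x01

def _split(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(leaves: list) -> bytes:
    """Merkle tree hash over a list of leaf hashes."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))

def inclusion_proof(leaves: list, m: int) -> list:
    """Audit path for leaf m: (side, sibling hash) pairs from the leaf up to the root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [("R", tree_head(leaves[k:]))]
    return inclusion_proof(leaves[k:], m - k) + [("L", tree_head(leaves[:k]))]

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    r = leaf
    for side, sibling in proof:
        r = node_hash(sibling, r) if side == "L" else node_hash(r, sibling)
    return r == root

class TransparencyLog:
    """Toy append-only log that keeps every cert and every published tree head."""
    def __init__(self):
        self.certs, self.entries, self.heads = [], [], []

    def append(self, cert: bytes) -> tuple:
        """Log a cert; return a stand-in for the SCT: (index, proof, tree head)."""
        self.certs.append(cert)
        self.entries.append(leaf_hash(cert))
        self.heads.append(tree_head(self.entries))
        idx = len(self.entries) - 1
        return idx, inclusion_proof(self.entries, idx), self.heads[-1]

    def head_reproducible(self, head: bytes) -> bool:
        """A head handed out earlier must match the hash of some prefix of the log."""
        return any(tree_head(self.entries[:i]) == head
                   for i in range(1, len(self.entries) + 1))

def relying_party_accepts(cert: bytes, sct, log: TransparencyLog) -> bool:
    """A CT-enforcing client rejects any cert that lacks a valid inclusion proof."""
    if sct is None:
        return False
    _idx, proof, head = sct
    return head in log.heads and verify_inclusion(leaf_hash(cert), proof, head)

def monitor_findings(log: TransparencyLog, domain: str) -> list:
    """A monitor for `domain` sees every logged cert naming it, coerced or not."""
    return [c for c in log.certs if domain.encode() in c]

def coercion_dilemma() -> tuple:
    """The two poisons: unlogged -> rejected; logged -> public (certs are constructed)."""
    log = TransparencyLog()
    log.append(b"CN=example.com, issuer=Honest CA, serial=1")
    rogue = b"CN=example.com, issuer=Honest CA, serial=2 (issued under order)"
    unlogged_accepted = relying_party_accepts(rogue, None, log)   # False
    sct = log.append(rogue)
    logged_accepted = relying_party_accepts(rogue, sct, log)      # True
    visible = len(monitor_findings(log, "example.com"))           # 2
    # Erasing the entry afterwards breaks the head already handed out with the SCT.
    log.certs.pop()
    log.entries.pop()
    erased_quietly = log.head_reproducible(sct[2])                # False
    return unlogged_accepted, logged_accepted, visible, erased_quietly
```

Real CT adds signed tree heads, consistency proofs between heads and an independent set of log operators; the toy keeps only the append-only Merkle structure that makes the dilemma bite.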
Don't clap for that. Okay. You work for a security hardware company.
You work on a product that has legitimate uses like an IDS. But you find out that countries
are using it to spy on their citizens. Do you do nothing?
B, start internal campaign to try to change the company selling it to these folks.
C, work to make future versions of the product less dual use.
D, quietly look for a new job. E, publicly quit and protest, perhaps violating
the NDA. So A, who would do nothing? That's a reasonable thing. That's like if you're
a gun manufacturer, you think the same way. I build a gun. A gun is not a moral object.
People use it in a good or bad way. That's not what I'm doing.
That's not under my control. B, who would try to change the corporate culture?
Yeah. That's a reasonable thing. Good luck. It won't happen.
C, work to make it from a technical perspective. Yeah. D, quietly quit. And then E, once again
go nuclear. Yeah. So this is a tough one. And this is
something that people who work for, we'll just call them green jacket face every day
apparently. So we don't have time for any other good ones.
So what I'm going to do, so what I would like you guys to do, you don't have to do anything.
Moral authority here. But this is what I think would be a good thing for you to do. Try to
live an examined life in the InfoSec community. Think about what you want to do now. Don't
get caught being asked to do something unethical or against your ethical means and not having
thought of it. Because it's really easy to say yes when you're in the room and you're
under a lot of pressure. Teach others from your own experience. Again, the people with
great ponytails here have lots of good stories about this. Teach the younger people who are
just getting started in their careers about how to make these decisions ethically. Be
honest and open with yourself.
And think about your moral limits before you reach them.
And so something you can do right now is there is a letter for supporting reform of the Computer
Fraud and Abuse Act. This letter has been signed by Jeff Moss. Who else? I'm blanking.
Ari Schwartz. I'm sorry. Cory Doctorow. Ari. Ed Felten. Avi Rubin. Yeah. Lots and
lots of people, security researchers in academia and publicly in the public world, the private
world have signed this. You don't have to sign it on behalf of your employer. This is
just for you. If you'd like to get on this open letter before it goes public and anybody,
any of the hoi polloi can sign it, there are folks up here from the EFF with paper
copies that you can sign. So we're out of time. So if you guys want to chat at all,
I'll be in the hallway. Thank you very much for listening. Thank you.
